Posts posted by MilanBortel

  1. Hi @StanAsterisque,

    I have no info about this being a known issue.. To be honest, as with any other AV vendor, there are typical scenarios we deal with - Kaspersky is blocking this and that.. Kaspersky thinks this is a malicious app, but it’s not - it is our internal tool … so of course, we have to be able to work it out somehow 🤕

    To resolve this, I’d recommend a simple test - let KSWS run on the affected server, but use policy settings to switch off/on one module after another and see if the CPU usage has decreased or not.. In other words - try to identify which component/task might be the cause..

     

    Once we know the specific module, then we can optimize the policy, you know.. 🤓

    Cheers,
    Milan

  2. Hi @rinnofer,

    it might be interesting to see what policy was active on this specific host. Can you share it with us?

     

    Do you have password protection enabled for KES operation? And also for Network Agent?

    These are crucial settings. If you personally can turn off KES on the server, then the attacking malware can do the same. This is not a KES problem but rather a configuration issue 🙄

     

    Let us know!

    Cheers,
    Milan

  3. Hi @Kumar_K,

    well, I think that after restoration of the old KSC backup on the new KSC, there is no further action needed. All the keys will be restored and available. So you will just move all the computers to the new KSC.

    One more thing came to my mind. On the computers, KES also stores these encryption/decryption keys locally, so they could work offline (with no KSC connectivity). And after you move the computers to the new KSC, they will sync these keys with KSC if they are missing.. does it make sense to you? 😜

    Milan

  4. Hi @MilanBortel 

    Thanks for the detailed description. Yes, I can request our helpdesk to keep track of such requests from the users. For such scenarios I could just simply decrypt and re-encrypt those computers in the new server. The full disk encryption should be fine. But my fear is about the encrypted USB drives. We have enabled USB drive encryption in portable mode. We have no control over the number of USB devices the users own. The USB drives can also be their personal devices. If a user encrypts a new USB drive during the transition (it should be that long, 2-4 hours at max) there is a chance to lose that particular key, right? I tried to explore the KSC reporting but there is no option to generate a report on when a USB key was encrypted.

    I noticed that there is an option in the KSC server’s properties to export and re-import Encryption keys in a new administration server but I don’t think it’s doing anything at all. I tried to re-import the keys in a staging KSC server (clean instance) but I can’t see any information about encrypted drives post import process.

    Yeah, @Kumar_K

    the option to import Encryption keys IMHO means that the new KSC server would use the old KSC’s master encryption key and thus be able to manage all external encrypted drives.

    You know, with KSC installation, an SSL certificate and master keys for FDE and FLE are always generated..

    However, if you restore the backup from old KSC to new KSC, all the keys and certs will be restored, so I would fear no more.. I think external USB will work just fine with the new KSC 😇

     

    Cheers,
    Milan

  5. Hi @Kumar_K,

    when you forget the BitLocker PIN, you have to enter the recovery key:

    BitLocker recovery key prompt

    This is the MMC interface:

    BitLocker recovery key

    After successful boot, user is prompted to change the password:

    BitLocker Change password prompt

    After password change, both recovery key and recovery key ID are updated on KSC side:

    KSC - BitLocker recovery key and ID has been changed

    If KSC backup has been made prior to this update, I’d assume that the new recovery key won’t be available after restore in new KSC.. haven’t tested that scenario, though.

     

    So, my recommendation - the migration process should take place either overnight or during the weekend, when the risk of this inconsistency would be minimized. Anyway, you can run both old and new KSC for a few days after migration and keep backups to be able to restore access to encrypted drives if that occurred during the migration process.

    I believe that you do have documentation of this, right? To be able to say which user has asked for which recovery key at what date/time.. 😀

     

    Cheers,
    Milan

  6. Hi @Kumar_K,

    from my experience it works fine. I personally did it this way:

    1. back up old KSC
    2. install new KSC on new host
    3. restore backup from old KSC (after this step, all encryption/decryption keys are present on new KSC)
    4. reconnect all hosts to new KSC (change administration server task or reinstall Network Agent with new connection settings)
      Change Administration Server task

       

    tadaaaaa 🤠

    Let us know, if you have any further questions

    Cheers,
    Milan

  7. Hi @MunirOmar,

    thanks for the clarification. Firstly, I’d recommend using a different Kaspersky product for servers (KSWS), as it’s designed and tested for that OS type. See this link for more details.

    If you want to stay with KES, I’d try to pause protection for that host (via console or locally from system tray):

    KES → Pause protection

    When it’s paused, delete that log file, then enable protection and see if that log file is recreated again.. 🤓

     

    Cheers,
    Milan 

  8. Hello @mhoude,

    I believe it is possible 🤔 What type of license do you have? The minimum for my scenario is Kaspersky Endpoint Security for Business - Select (more on licensing here)

    First, you need to install Kaspersky Security Center (administration server), you must have SQL server installed beforehand. See details on installation in online help. You can use either MMC console or web console, whatever suits you best.

    Second, you will install Kaspersky Network Agent on every computer in the company (which is responsible for communication between hosts and server). Don’t worry, there are automated remote installation tasks, you won’t have to go one by one any more. After Network Agent is installed, devices become “manageable” - you will see them from the console. More details in online help.

    Third, you divide computers into management groups and create policies for each product (Network Agent, Kaspersky Endpoint Security for Windows, Kaspersky Security for Windows Server, ..). See more about policies in online help.

    Let us know, if you need any further help 🤠


    Cheers,
    Milan

  9. Hi @AlexandreVsr,

    from my experience the easiest way is via automatic installation.

    1. set up the uninstallation password in the installation package:
      Network Agent installation package Properties → Settings
    2. create a group for “migration” and go to properties, select the package:
      Group Properties → Automatic installation
    3. automatic installation task is created:
      Automatic installation task
    4. you can update properties, if necessary:
      Automatic installation task Properties → Settings
    5. then simply move computers to this group and that task will take care of the job 🤠

    Let us know, if it worked for you 😜

    Cheers,
    Milan

  10. Hi @MR_DWW,

    I want to record a video tutorial with KSC + MySQL DB installation, but didn’t have time yet :(

     

    But there is one answer crystal clear:
    3. No, you can only use one DB with KSC. And unfortunately you cannot “change it later” .. If you want to change DB provider, you need to reinstall entire KSC. But you can backup/restore data, at least..

    Will try to record the video soon, but can’t promise.. f-ing pandemic lockdown :(

     

    Cheers,
    Milan
